Conference Training Day - Two Day Training Courses - November 12th-13th, 2007

OWASP has arranged to have six 2-day Application Security training courses prior to the conference.

The first three courses will be provided by a long time contributor to OWASP, Aspect Security. The fourth course will be provided by another active OWASP member, the Arctec Group. The fifth course is being provided by Dinis Cruz, the OWASP Chief Evangelist. The sixth course is being presented by frequent OWASP/WASC contributor Breach Security. Most of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

T1

Building and Testing Secure Web Applications

T2

Secure Coding for Java EE

T3

Secure Coding .NET Web Applications

T4

Web Services and XML Security

T5

Leveraging OWASP Tools and Documents to Secure Your Enterprise

T6

ModSecurity Boot-Camp Training

*Note: Information corresponding to each training course is located below.

Pricing

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following web application security areas (which encompass the entire OWASP Top 10 plus more):

Authentication and Session Management

Access Control

Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS)

Input Validation

Protecting Sensitive Data (w/ Crypto)

Caching, Pooling, and Reuse Errors

Database Security (Including SQL Injection)

Error Handling and Logging

Denial of Service

Code Quality

Accessing Services Securely

Setting Security Policy

Integrating Security into the SDLC

For each area, the course covers the following:

Theoretical foundations

Recommended security policies

Common pitfalls when implementing

Details on historical exploits

Best practices for implementation

Hands on Exercises

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.

T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:

Java EE security overview,

All coding examples and recommendations are specifically focused on Java and Java servers, and

3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

To make room for this Java specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most Java EE based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how Java EE web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following Java EE web application security areas (which encompass the entire OWASP Top 10 plus more):

Authentication and Session Management

Access Control

Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS)

Input Validation

Protecting Sensitive Data (w/ Crypto)

Database Security (Including SQL Injection)

Error Handling and Logging

Code Quality

For each area, the course covers the following:

Theoretical foundations

Recommended security policies

Common pitfalls when implementing

Details on historical exploits

Best practices for implementation

Hands on Testing Exercises

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Hands on Coding Exercises (Only in Java specific version of this class!)

For this Java focused course, students will additionally have the opportunity to find, exploit, and then fix Java coding vulnerabilities in three different Java labs using Eclipse.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of .NET focused content, including:

.NET Framework security overview,

All coding examples and recommendations are specifically focused on .NET, and

3 additional hands on coding labs where the students find and then fix security vulnerabilities in a .NET application developed for the class.

This class covers, and includes examples from, both C# and ASP.NET.

To make room for this .NET specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.

This course is a compressed version of Aspect's standard 3-day Secure Coding for .NET course.

Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most .NET based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how .NET web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following .NET web application security areas (which encompass the entire OWASP Top 10 plus more):

Authentication and Session Management

Access Control

Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS)

Input Validation

Protecting Sensitive Data (w/ Crypto)

Database Security (Including SQL Injection)

Error Handling and Logging

Code Quality

For each area, the course covers the following:

Theoretical foundations

Recommended security policies

Common pitfalls when implementing

Details on historical exploits

Best practices for implementation

Hands on Testing Exercises

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

Hands on Coding Exercises (Only in .NET specific version of this class!)

For this .NET focused course, students will additionally have the opportunity to find, exploit, and then fix .NET coding vulnerabilities in three different .NET labs using Visual Studio.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.

Apart from OWASP's Top 10, most OWASP projects (https://www.owasp.org/index.php/Category:OWASP_Project) are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Lifecycle (WADL)

This course aims to change that by providing detailed presentations of the most mature and enterprise ready projects together with practical examples of how to use them.

Curriculum

Part 1: OWASP Documentation Projects

Part 2: OWASP Tools

Part 3: Using OWASP in the Enterprise

Part 4: Using OWASP in the WADL (Web Application Development Lifecycle)

Hands on Exercises

The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a laptop.

T6. ModSecurity Boot-Camp Training - 2-Day Course - Nov 12-13, 2007

Course Overview

ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day, boot-camp class is designed for those people who want to quickly learn how to build, deploy, and use ModSecurity in the most effective manner possible. The course will cover topics such as: the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers, and also provides an in-depth look at the extremely powerful ModSecurity Rules Language. Learning how to take advantage of the power behind ModSecurity rules can help web security professionals write and configure highly effective rules to handle complex web vulnerabilities. Hands-on labs with fully documented instructions help students deploy solid, secure ModSecurity installations and understand the inner workings of the premier open source web application firewall available today.

Hands-on labs will include a unique challenge where the participants will have to use ModSecurity to try and mitigate as many vulnerabilities as possible in the OWASP WebGoat application.

Requirements

If you are interested in participating in the hands on portion of the course, please bring a laptop. The class will use a custom VMware image so you will need to have VMware Player, Workstation or Server pre-installed. Additionally, some of the tools we will be using outside of the VMware host will require Java so ensure that you have installed/updated to the latest version.